nuttycom/aftok - Change I2KHGVD44KT4MQJXGCTVSQKMBO6TVCY72F26TLXGWRL6PHGF6RNQC

Require project permissions for access to most data.

Created by Kris Nuttycombe on February 1, 2015

I2KHGVD44KT4MQJXGCTVSQKMBO6TVCY72F26TLXGWRL6PHGF6RNQC

Dependencies

In channels

main

Change contents

Replacement in server/Main.hs at line 13 [5.5188]

B:BD[3.943] → [4.710:782]

import Quixotic.Api
import Quixotic.Api.Types
import Quixotic.Api.Users

[3.943]

[4.782]

import Quixotic.Snaplet
import Quixotic.Snaplet.Auth
import Quixotic.Snaplet.Users
import Quixotic.Snaplet.WorkLog

Replacement in server/Main.hs at line 50 [5.5188]

B:BD[6.8755] → [7.56:106]

  addRoutes [ ("login", loginHandler (const ok))

[6.8755]

[4.823]

  addRoutes [ ("login", requireLogin >> (redirect "/home"))

File deletion: Api
BF:BFD[4.1049] → [4.1072:1086]
BF:BFD[4.1086] → [4.1071:1071]

File deletion: WorkLog.hs, WorkLog.hs

BFD:BFD[8.547] → [8.1453:1487]

BF:BFD[8.1487] → [8.564:564]

BF:BFD[4.1071] → [4.5388:5422]

BF:BFD[4.5422] → [8.564:564]

B:BD[8.564] → [9.1323:1359]

∅:D[9.1359] → [8.565:602]

B:BD[8.564] → [8.565:602]

B:BD[8.602] → [9.1360:1382]

∅:D[9.1382] → [8.602:1438]

B:BD[8.602] → [8.602:1438]

B:BD[8.1439] → [8.1439:1452]

{-# LANGUAGE NoImplicitPrelude #-}
module Api.Worklog (resource) where
import ClassyPrelude
import Control.Applicative ((<$>))
import Control.Concurrent.STM (atomically, modifyTVar, readTVar)
import Control.Monad.Error (throwError)
import Control.Monad.Reader (ReaderT, asks)
import Control.Monad.Trans (liftIO)
import Data.Set (Set)
import qualified Data.Foldable as F
import qualified Data.Set      as Set
import qualified Data.Text     as T
import Rest (Handler, ListHandler, Range (count, offset), Resource, Void, domainReason, mkInputHandler, mkListing, mkResourceReader, named, singleRead,
             withListing, xmlJsonE, xmlJsonI, xmlJsonO)
import qualified Rest.Resource as R
import ApiTypes (BlogApi, ServerData (..))
import Type.User (User)
import Type.UserInfo (UserInfo (..))
import Type.UserSignupError (UserSignupError (..))
import qualified Type.User     as User
import qualified Type.UserInfo as UserInfo
resource ::

File addition: Snaplet (d--x------)
[4.1049]

File addition: Auth.hs (----------)

[0.182]

module Quixotic.Snaplet.Auth where
import ClassyPrelude 
import Control.Lens
import Control.Monad.State
import Data.ByteString (split)
import Data.Attoparsec.ByteString 
import qualified Data.ByteString.Base64 as B64
import Quixotic
import Quixotic.Database
import Quixotic.Snaplet
import Snap.Core
import Snap.Snaplet
import Snap.Snaplet.PostgresqlSimple
import qualified Snap.Snaplet.Auth as AU
type AuthHeader = (Text, ByteString)
authHeaderParser :: Parser AuthHeader
authHeaderParser = do
  let isBase64Char w = (w >= 47 && w <= 57 ) ||
                       (w >= 64 && w <= 90 ) ||
                       (w >= 97 && w <= 122) ||
                       (w == 43 || w == 61 )
  b64     <- string "Basic" *> takeWhile1 isBase64Char 
  decoded <- either fail pure $ B64.decode b64
  case split 58 decoded of
    (uname : pwd : []) -> pure $ (decodeUtf8 uname, pwd)
    _ -> fail "Could not unpack auth header into username and password components"
requireLogin :: Handler App App AU.AuthUser 
requireLogin = do
  req <- getRequest
  rawHeader    <- maybe throwChallenge pure $ getHeader "Authorization" req
  (uname, pwd) <- either (throwDenied . AU.AuthError) pure $ parseOnly authHeaderParser rawHeader 
  authResult   <- with auth $ AU.loginByUsername uname (AU.ClearText pwd) False
  either throwDenied pure authResult
requireUser :: Handler App App AU.AuthUser 
requireUser = do 
  currentUser <- with auth AU.currentUser
  maybe requireLogin pure currentUser
requireUserId :: Handler App App UserId
requireUserId = do
  QDB{..} <- view qdb <$> with qm get
  currentUser <- requireLogin
  qdbUser <- case UserName . AU.unUid <$> AU.userId currentUser of 
    Nothing -> snapError 403 "User is authenticated, but session lacks user identifier"
    Just n  -> liftPG . runReaderT $ findUserByUserName n
  case qdbUser of
    Nothing -> snapError 403 "Unable to retrieve user record for authenticated user" 
    Just u -> pure (u ^. userId)
requireProjectAccess :: UserId -> Handler App App ProjectId
requireProjectAccess uid = do
  pidMay <- getParam "projectId"
  case ProjectId <$> (readMay =<< fmap decodeUtf8 pidMay) of
    Nothing  -> snapError 403 "Value of parameter projectId could not be parsed to a valid value."
    Just pid -> error $ "FIXME: implement project access check - got pid " ++ " " ++ show uid ++ " " ++ show pid
throwChallenge :: MonadSnap m => m a
throwChallenge = do
    modifyResponse $ (setResponseStatus 401 "Unauthorized") . 
                     (setHeader "WWW-Authenticate" "Basic realm=quixotic")
    getResponse >>= finishWith
throwDenied :: MonadSnap m => AU.AuthFailure -> m a
throwDenied failure = do
    modifyResponse $ setResponseStatus 403 "Access Denied"
    writeText $ "Access Denied: " <> tshow failure
    getResponse >>= finishWith

File move: Users.hs → Users.hs
BF:BFD[4.1071] → [4.5354:5386]
BF:BF[4.5386] → [4.3234:3234]
[0.182]
[4.3234]
Replacement in server/Quixotic/Snaplet/Users.hs at line 1 [4.3234]
B:BD[4.3234] → [10.44:94]
```
{-# LANGUAGE TemplateHaskell, RecordWildCards #-}
```
[4.3234]
[4.3411]
```
{-# LANGUAGE TemplateHaskell #-}
```

Replacement in server/Quixotic/Snaplet/Users.hs at line 3 [4.3234]

B:BD[4.3412] → [4.3412:3476]

module Quixotic.Api.Users 
  ( loginHandler
  , registerHandler

[4.3412]

[4.3476]

module Quixotic.Snaplet.Users 
  ( registerHandler

Deletion in server/Quixotic/Snaplet/Users.hs at line 12 [4.3234]
∅:D[10.165] → [4.3510:3624]
B:BD[4.3510] → [4.3510:3624]
```
import Data.ByteString (split)
import Data.Attoparsec.ByteString 
import qualified Data.ByteString.Base64 as B64
```
Replacement in server/Quixotic/Snaplet/Users.hs at line 14 [4.3234]
∅:D[10.229] → [4.3624:3650]
B:BD[4.3624] → [4.3624:3650]
```
import Quixotic.Api.Types
```
[10.207]
[4.3650]
```
import Quixotic.Snaplet
import Quixotic.Snaplet.Auth
```

Deletion in server/Quixotic/Snaplet/Users.hs at line 21 [4.3234]

∅:D[10.267] → [4.3729:4305]

B:BD[4.3729] → [4.3729:4305]


data AuthHeader = AuthHeader Text ByteString
authHeaderParser :: Parser AuthHeader
authHeaderParser = do
  let isBase64Char w = (w >= 47 && w <= 57 ) ||
                       (w >= 64 && w <= 90 ) ||
                       (w >= 97 && w <= 122) ||
                       (w == 43 || w == 61 )
  b64     <- string "Basic" *> takeWhile1 isBase64Char 
  decoded <- either fail pure $ B64.decode b64
  case split 58 decoded of
    (uname : pwd : []) -> pure $ AuthHeader (decodeUtf8 uname) pwd
    _ -> fail "Could not unpack auth header into username and password components"

Deletion in server/Quixotic/Snaplet/Users.hs at line 36 [4.3234]

B:BD[4.4425] → [4.4425:4618]

B:BD[4.4618] → [11.1622:1763]

∅:D[11.1763] → [4.4727:4848]

B:BD[4.4727] → [4.4727:4848]

loginHandler :: (AU.AuthUser -> Handler App App a) -> Handler App App a
loginHandler onSuccess = do
  req <- getRequest
  rawHeader <- maybe throwChallenge pure $ getHeader "Authorization" req
  let parsedHeader = parseOnly authHeaderParser rawHeader 
  (AuthHeader uname pwd) <- either (throwDenied . AU.AuthError) pure parsedHeader
  authResult <- with auth $ AU.loginByUsername uname (AU.ClearText pwd) False
  either throwDenied onSuccess authResult

Deletion in server/Quixotic/Snaplet/Users.hs at line 45 [4.3234]

∅:D[10.1083] → [4.4907:5353]

B:BD[4.4907] → [4.4907:5353]

B:BD[4.5353] → [10.1084:1085]


throwChallenge :: MonadSnap m => m a
throwChallenge = do
    modifyResponse $ (setResponseStatus 401 "Unauthorized") . 
                     (setHeader "WWW-Authenticate" "Basic realm=quixotic")
    getResponse >>= finishWith
throwDenied :: MonadSnap m => AU.AuthFailure -> m a
throwDenied failure = do
    modifyResponse $ setResponseStatus 403 "Access Denied"
    writeText $ "Access Denied: " <> tshow failure
    getResponse >>= finishWith

File move: Api.hs → WorkLog.hs
BF:BFD[4.1049] → [4.6951:6981]
BF:BF[4.6981] → [4.5424:5424]
[0.182]
[4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 1 [4.5424]

B:BD[4.5424] → [4.5425:5521]

{-# LANGUAGE FlexibleInstances #-} 
{-# LANGUAGE TemplateHaskell #-}
module Quixotic.Api where

[4.5424]

[4.5521]

module Quixotic.Snaplet.WorkLog where

Deletion in server/Quixotic/Snaplet/WorkLog.hs at line 8 [4.5424]
B:BD[4.5625] → [4.5625:5641]
```
import Data.Map
```
Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 14 [4.5424]
B:BD[4.5729] → [4.5729:5755]
```
import Quixotic.Api.Types
```
[4.5729]
[4.5755]
```
import Quixotic.Snaplet
import Quixotic.Snaplet.Auth
```
Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 22 [4.5424]
B:BD[4.5881] → [4.5881:5933]
```
logWorkHandler evType = requireUserId $ \uid -> do 
```
[4.5881]
[4.5933]
```
logWorkHandler evType = do 
```

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 24 [4.5424]

B:BD[4.5971] → [12.4067:4127]

  pid <- getParam "projectId"
  checkProjectAccess pid uid

[4.5971]

  uid <- requireUserId
  pid <- requireProjectAccess uid

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 35 [4.5424]
B:BD[4.6393] → [4.6393:6436]
```
loggedIntervalsHandler = requireLogin $ do
```
[4.6393]
[4.6436]
```
loggedIntervalsHandler = do
```

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 37 [4.5424]

B:BD[4.6474] → [4.6474:6518]

  widx <- liftPG $ runReaderT readWorkIndex

[4.6474]

[4.6518]

  uid <- requireUserId 
  pid <- requireProjectAccess uid
  widx <- liftPG . runReaderT $ readWorkIndex pid

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 41 [4.5424]

B:BD[4.6581] → [4.6581:6631]

  writeLBS . A.encode $ mapKeys (^. address) widx

[4.6581]

[4.6631]

  writeLBS . A.encode . fmap (fmap IntervalJ) $ mapKeysWith (++) (^. address) widx

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 44 [4.5424]
B:BD[4.6669] → [4.6669:6705]
```
payoutsHandler = requireLogin $ do 
```
[4.6669]
[4.6705]
```
payoutsHandler = do 
```

Insertion in server/Quixotic/Snaplet/WorkLog.hs at line 46 [4.5424]

[4.6744]

  uid <- requireUserId 
  pid <- requireProjectAccess uid
  widx <- liftPG . runReaderT $ readWorkIndex pid

Deletion in server/Quixotic/Snaplet/WorkLog.hs at line 50 [4.5424]
B:BD[4.6779] → [4.6779:6823]
```
  widx <- liftPG $ runReaderT readWorkIndex
```
Insertion in server/Quixotic/Snaplet/WorkLog.hs at line 52 [4.5424]
[12.4266]
File move: Types.hs → Snaplet.hs
BF:BFD[4.1071] → [4.3200:3232]
BF:BF[4.3232] → [4.1088:1088]
[4.1049]
[4.1088]

Replacement in server/Quixotic/Snaplet.hs at line 1 [4.1088]

B:BD[4.1088] → [4.1089:1158]

{-# LANGUAGE FlexibleInstances #-} 
{-# LANGUAGE TemplateHaskell #-}

[4.1088]

[4.1158]

{-# LANGUAGE TemplateHaskell, FlexibleInstances #-}

Replacement in server/Quixotic/Snaplet.hs at line 3 [4.1088]
B:BD[4.1159] → [4.1159:1191]
```
module Quixotic.Api.Types where
```
[4.1159]
[4.1191]
```
module Quixotic.Snaplet where
```
Deletion in server/Quixotic/Snaplet.hs at line 12 [4.1088]
B:BD[4.1325] → [12.3961:3977]
```
import Quixotic
```

Deletion in server/Quixotic/Snaplet.hs at line 44 [4.1088]

B:BD[4.2227] → [4.2227:2906]

B:BD[4.2906] → [12.3978:4041]

B:BD[12.4041] → [2.1498:1529]


requireLogin :: Handler App App a -> Handler App App a
requireLogin = AU.requireUser auth (redirect "/login")
requireUserId :: (UserId -> Handler App App a) -> Handler App App a 
requireUserId hf = AU.requireUser auth (redirect "/login") $ do
  QDB{..} <- view qdb <$> with qm get
  authedUser <- with auth AU.currentUser
  qdbUser <- case UserName . AU.unUid <$> (AU.userId =<< authedUser) of 
    Nothing -> snapError 403 "User is authenticated, but session lacks user identifier"
    Just n  -> liftPG . runReaderT $ findUserByUserName n
  case qdbUser of
    Nothing -> snapError 403 "Unable to retrieve user record for authenticated user" 
    Just u -> hf (u ^. userId)
checkProjectAccess :: ProjectId -> UserId -> Handler App App a
checkProjectAccess = undefined

Insertion in server/Quixotic/Snaplet.hs at line 55 [4.1088]
[4.3199]

Require project permissions for access to most data.

Dependencies

In channels

Change contents

Replacement in server/Main.hs at line 13 [5.5188]

Replacement in server/Main.hs at line 50 [5.5188]

File deletion: Api

File deletion: WorkLog.hs, WorkLog.hs

File addition: Snaplet (d--x------)

File addition: Auth.hs (----------)

File move: Users.hs → Users.hs

Replacement in server/Quixotic/Snaplet/Users.hs at line 1 [4.3234]

Replacement in server/Quixotic/Snaplet/Users.hs at line 3 [4.3234]

Deletion in server/Quixotic/Snaplet/Users.hs at line 12 [4.3234]

Replacement in server/Quixotic/Snaplet/Users.hs at line 14 [4.3234]

Deletion in server/Quixotic/Snaplet/Users.hs at line 21 [4.3234]

Deletion in server/Quixotic/Snaplet/Users.hs at line 36 [4.3234]

Deletion in server/Quixotic/Snaplet/Users.hs at line 45 [4.3234]

File move: Api.hs → WorkLog.hs

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 1 [4.5424]

Deletion in server/Quixotic/Snaplet/WorkLog.hs at line 8 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 14 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 22 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 24 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 35 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 37 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 41 [4.5424]

Replacement in server/Quixotic/Snaplet/WorkLog.hs at line 44 [4.5424]

Insertion in server/Quixotic/Snaplet/WorkLog.hs at line 46 [4.5424]

Deletion in server/Quixotic/Snaplet/WorkLog.hs at line 50 [4.5424]

Insertion in server/Quixotic/Snaplet/WorkLog.hs at line 52 [4.5424]

File move: Types.hs → Snaplet.hs

Replacement in server/Quixotic/Snaplet.hs at line 1 [4.1088]

Replacement in server/Quixotic/Snaplet.hs at line 3 [4.1088]

Deletion in server/Quixotic/Snaplet.hs at line 12 [4.1088]

Deletion in server/Quixotic/Snaplet.hs at line 44 [4.1088]

Insertion in server/Quixotic/Snaplet.hs at line 55 [4.1088]